<html>
  <head>
    <title>HTML Sanitizer Tests</title>
<script type="text/javascript" src="html4-defs.js"></script>
<script type="text/javascript" src="html-sanitizer.js"></script>
  </head>

  <body>
    <script>
    /**
     * Strips unsafe tags and attributes from html.
     * @param {string} htmlText to sanitize
     * @param {Function} opt_urlPolicy -- a transform to apply to url attribute
     *     values.
     * @param {Function} opt_nmTokenPolicy : string -> string? -- a transform to
     *     apply to names, ids, and classes.
     * @return {string} html
     */
    function html_sanitize2(htmlText, opt_urlPolicy, opt_nmTokenPolicy) {
      var out = [];
      html.makeHtmlSanitizer(
          function sanitizeAttribs(tagName, attribs) {
            for (var i = 0; i < attribs.length; i += 2) {
              var attribName = attribs[i];
              var value = attribs[i + 1];
              var atype = null, attribKey;
              if ((attribKey = tagName + '::' + attribName,
                   html4.ATTRIBS.hasOwnProperty(attribKey))
                  || (attribKey = '*::' + attribName,
                      html4.ATTRIBS.hasOwnProperty(attribKey))) {
                atype = html4.ATTRIBS[attribKey];
              }
              if (atype !== null) {
                switch (atype) {
                  case html4.atype.SCRIPT:
                  case html4.atype.STYLE:
                    value = null;
                    break;
                  case html4.atype.ID:
                    value = 'a1_' + value;
                    break;
                  case html4.atype.IDREF:
                  case html4.atype.IDREFS:
                  case html4.atype.GLOBAL_NAME:
                  case html4.atype.LOCAL_NAME:
                  case html4.atype.CLASSES:
                    value = opt_nmTokenPolicy ? opt_nmTokenPolicy(value) : value;
                    break;
                  case html4.atype.URI:
                    value = opt_urlPolicy && opt_urlPolicy(value);
                    break;
                  case html4.atype.URI_FRAGMENT:
                    if (value && '#' === value.charAt(0)) {
                      value = opt_nmTokenPolicy ? opt_nmTokenPolicy(value) : value;
                      if (value) { value = '#' + value; }
                    } else {
                      value = null;
                    }
                    break;
                }
              } else {
                value = null;
              }
              attribs[i + 1] = value;
            }
            return attribs;
          })(htmlText, out);
      return out.join('');
    }
    
      function interactiveTest(html) {
        try {
          var sanitized = html_sanitize2(html);
          var results = document.getElementById('results');
          while (results.firstChild) {
            results.removeChild(results.firstChild);
          }
          results.appendChild(document.createTextNode(sanitized));
        } catch (ex) {
          console.error('%s', ex);
        }
      }
    </script>
    <form onsubmit="interactiveTest(this.elements.html.value); return false">
      <textarea cols="80" rows="20" name="html"></textarea>
      <input type="submit" value="Sanitize" />
    </form>

    <div id="results"></div>
  </body>
</html>
